Bash Vulnerability CVE-2014-6217 and CVE-2014-7169
CVE-2014-6217 is a critical vulnerability in all versions of GNU Bash, the Bourne Again Shell. This vulnerability allows an attacker to execute arbitrary shell commands any time a Bash shell executes with environmental variables supplied by the attacker. On cPanel & WHM systems, there are numerous entry points where this vulnerability could be exploited.
CVE-2014-7169 is a second vulnerability in all versions of GNU Bash. This second CVE covers attack vectors that were not fixed in the initial updates for CVE-2014-6217. Targeting CVE-2014-7169 is more complicated for an attacker. The authors of GNU Bash are currently working on updates to address CVE-2014-7169.
For Example:
ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to
bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are
implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
PHP scripts executed with mod_php are not affected even if they spawn subshells.
DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
Any other application which is hooked onto a shell or runs a shell script as using Bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.
For cPanel Servers
cPanel & WHM does not provide any copies of the Bash shell. The Red Hat, CentOS and CloudLinux operating systems that cPanel & WHM is installed on provide the Bash shell as their default /bin/sh interpreter. All three distros have published patched versions of the Bash shell to their mirrors to address CVE-2014-6217.
To update any affected servers,
-Run “yum clean all” to clear YUM’s local caches
-Run “yum update” to install the patched version of Bash.
–Reboot the server.
You can ensure you are updated by running the command “rpm -q bash”. The package information displayed should match the version numbers provided by Red Hat at https://access.redhat.com/solutions/1207723
You should repeat the update process once RedHat, CentOS and CloudLinux are released new updates for CVE-2014-7169.
cPanel also recommends that you configure the system to automatically update both the base operating system and the cPanel & WHM software automatically.
These settings are located in WHM’s “Update Preferences” interface.
For more details, please refer with Redhat
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
